At a glance.
- Italian email provider hacked.
- Data exposure at local government payment processor.
- Joint UK-US advisory on COVID-19 cyber risks.
- Epidemic contact tracking apps have privacy issues.
- Under pressure, Zoom strives for better privacy.
- NSO Group points out it doesn't operate its tools: government customers do.
Italian email provider discloses that 600,000 users' data are for sale in a dark web black market.
ZDNet reports that Email.it suffered a breach that lost data on more than 600,000 users. The hoods (NN Group, "NN" for "No Name") hawking the goods in the souk claim they hacked the email provider some two years ago. They claim to have "plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up and used the service between 2007 to 2020." They first tried extortion, but Email.it declined to pay and turned the matter over to the police.
Payment processor for local governments exposed transactions.
BinaryEdge found an exposed database that contained information about fines and utility bills. The data belonged to nCourt, a company that operates payment processors for local governments in the US states of Arkansas and Oklahoma. The records, some of which TechCrunch determined had shown up in a hacking forum, included names, paycard information, addresses, and other items of interest to fraudsters. nCourt closed access to the database Monday.
NCSC and CISA issue a joint warning over COVID-19-themed threats.
British and American cybersecurity agencies have issued a joint advisory on COVID-19-themed cyber threats. It covers the ways in which the coronavirus pandemic and the sharp rise in remote work that's been a prominent part of the international response to the disease have produced new approaches by threat actors and opened up some unfamiliar attack surfaces among users. The advisory by the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) contains much that bears on techniques of preserving privacy.
Much of the malicious activity is being carried by email. CISA’s Assistant Director for Cybersecurity, Bryan Ware, said, “As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business. Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond. We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19. We are all in this together and collectively we can help defend against these threats.”
The NCSC’s cover note adds some sensible overarching cautionary advice: “This is a fast-moving situation and this advisory does not seek to catalogue all COVID-19 related malicious cyber activity. You should remain alert to increased activity relating to COVID-19 and take proactive steps to protect yourself and your organisation.”
Contact-tracking apps fumble privacy.
Government contact tracking apps are achieving a decidedly mixed privacy record. Many governments are scrambling to find ways of tracking contacts at scale during the pandemic, and as Computing reports, there’s a general search for tools that can do this in ways that don’t compromise individual privacy. So far the apps being deployed, however, aren’t inspiring confidence in this respect. Researchers at ZeroFox report that the governments of Italy, Colombia, and Iran have stumbled badly with respect to the privacy protections of the mobile apps they’ve pushed out. It seems reasonable to assume that this is a more general problem. ZeroFox doesn’t attribute the privacy issues to bad intent, not even, we must observe in fairness, in the case of Iran. It’s just a difficult problem to solve, especially in haste and under emergency conditions.
Some public-private partnerships are also finding this is a tough challenge. A group of US Senators have written to Google's CEO Sundar Pichai to ask for an explanation of the company's Community Mobility Reports, intended as an aid in visualizing how people are moving around, and in what proximity to one another, during periods of required or recommended social distancing. The data in those reports are aggregated and anonymized, but the Senators remain uneasy. They're particularly concerned with collection of geolocation data, with the possibility that such data might be de-anonymized, and with the possibility that such data might be shared with government agencies other than the declared public health authorities. They're also (paradoxically) concerned that the data might leave someone out. What if you're not a smartphone user, or a regular carrier of your mobile device? You don't count?
Zoom continues to struggle with privacy issues.
ZDNet writes that Zoom, the teleconferencing service whose use exploded during the current pandemic, has brought in Alex Stamos, formerly Facebook’s security chief and subsequently a fellow at Stanford, as an independent security consultant. Stamos emphasized in a blog post that he’s neither an employee nor an executive at Zoom, but that he’s attracted to the challenge of how a low-friction collaboration platform might scale without presenting attackers with an equally low-friction opportunity.
Zoom is also facing official suspicion. Taiwan has banned the service entirely, largely because of the company’s ties with Chinese enterprises, and because, the Register notes, Zoom sends so much of its traffic through China. And Politico reports that in the US a group of Democratic members of Congress are asking the Federal Trade Commission to investigate Zoom's privacy and security practices.
NSO Group defends itself as a lawful intercept vendor.
NSO Group in its ongoing litigation with Facebook claims, basically, that spyware doesn’t spy; spies do. The company doesn’t, the Guardian reports, operate the technology it sells. That’s fair enough, maybe, but the matter raises some questions about lawful intercept tools in general. There are certainly technologies that seem to have legitimate markets but that need to be sold to a restricted set of buyers; military weapons in general would seem to fall into this category, as do many articles of police equipment. Perhaps that’s the sort of model that might be applied to lawful intercept tools. Bugging La Cosa Nostra is one thing. Bugging a political opponent or an unsympathetic journalist? Forget about it.